Corvus Threat Intel
The Ransomware Gang Handbook: Your Guide to the Cybercriminals in the News
It starts with 5.25-inch floppy disks.
Cue up Every Rose Has Its Thorn by Poison — because it’s 1989. Computers aren’t a household necessity quite yet, the AIDS epidemic is ablaze, and a Harvard-taught evolutionary biologist, Dr. Joseph Popp, has mailed 20,000 copies of a computer-based questionnaire to the recent attendees of the World Health Organization AIDS conference.
The survey’s stated goal? Determine a patient’s likelihood of contracting AIDS.
When well-intentioned scientists and recipients upload the floppy disk to their computer, they are unaware of an unfortunate twist. A Trojan horse is infiltrating their systems, laying dormant — not unlike the virus they are hurriedly trying to understand — until they reboot their computers around the 90th time, which activates the malware. A ransom note fills the screen, ceasing further activity, and demands a payment of $189 to “PC Cyborg Corporation,” with a P.O. Box in Panama.
Voila! Ransomware is born.
What You Need To Know About Modern Ransomware
While Popp — who may have been motivated by a World Health Organization job rejection — failed to make his endeavor financially successful (not many cashier checks found their way to Panama), his early attempt remains an inspiration for how modern-day cybercriminals approach profit by utilizing scare-tactics. (Popp’s malware featured a bright red splash-screen and encrypted files to render them inaccessible — sound familiar?)
Ransomware has come a long way since floppy disks. It’s been three decades since Popp targeted unsuspecting scientists, and modern threat actors have only gotten more creative, more ambitious, and more talented. For many, this is their day job and passion project. We’ll take a look at the most recognizable ransomware gangs (some defunct, some rebranded, and some still going strong) to understand how they’ve succeeded — and what has worked to stop them. Our first order of business? Establishing how ransomware groups approach their work.
How Does the Ransomware Ecosystem Work?
Modern ransomware wouldn’t exist as we know it today without the rise of ransomware gangs. Only a handful of groups are responsible for a majority of the attacks that make headlines, enforcing the idea that there’s a centralized nature to the ransomware landscape. As we'll discuss below, that means it’s easier to combat primary groups with sanctions or government action — but that the faceless factions behind the screens often find ways to rebrand, coming back as new threats.
Picture an office with a view (of the dark web). Security researchers report that the highest-profile attacks — like Colonial Pipeline or Kaseya — are typically conducted by ransomware groups that function much like regular companies. When Conti’s internal communications and documents leaked, it became clear that their organizational structure mirrored where you might work; there were finance, human resources, and research and development teams, all reporting to upper management. They even had physical offices in Russia.
Employee perks? Conti had salaried workers, employees of the month (who received significant bonuses), and commission for negotiators. While not all high-profile groups are as coordinated as Conti, many attacks originate from countries that are knowingly lenient on cybercrime, such as Russia, Belarus, and other East European countries. Some are state-sponsored, like the hundreds of hackers that work directly for North Korea.
The High-profile Ransomware Culprits
LockBit/LockBit 2.0/LockBit 3.0 Ransomware Gang
⚠️ Claim to fame: The LockBit gang has developed a malware program (StealBit) that automates data exfiltration.
💲 Average ransom demand: $270,300
LockBit launched in 2019, and unlike other spotlight-stealing ransomware groups, they managed to fly under the radar. Originally known as “ABCD,” creatively coined after the .abcd extension it left on encrypted files, they didn’t gain traction as “LockBit” until they launched their Ransomware-as-a-Service (RaaS) affiliate program in 2020. For those unfamiliar, RaaS is when the creator of developed ransomware tools — in this instance, LockBit — works with affiliates, who may not have the resources to produce the software on their own, to execute sophisticated ransomware attacks. Typically, a percentage of the ransom earned goes to the affiliate hacker.
In the second half of 2021, LockBit 2.0 was introduced. This served as a turning point for LockBit, especially as it coincided with high-profile ransomware groups, like DarkSide, attracting unwanted attention from US government officials. There was room for another ransomware group to excel, and LockBit accelerated their efforts. LockBit 2.0 operators claimed that they had the fastest encryption software available for any active ransomware strain, but that statement hasn’t been confirmed (by anyone other than the ransomware group itself). As of May 25, LockBit 2.0 was responsible for 46% of all ransomware-related breach events this year, according to Palo Alto researchers.
The most recent development is the release of LockBit 3.0, which features a one-of-a-kind “bug bounty program.” This initiative encourages security researchers, as well as “all ethical and unethical hackers on the planet” to report any vulnerabilities or weaknesses in LockBit’s software and systems. Remuneration ranges between $1,000 to $1 million, with the highest reward going to anyone who reveals the identity of the “big bosses” of other RaaS programs.
⚠️ Claim to fame: Their attack on Kaseya attracted widespread media attention and government sanctions (which ultimately led to the Department of Justice’s involvement).
💲 Average ransom demand: $596,655
After RaaS gang GandCrab “retired” in 2019, REvil stepped up to the plate. An alleged member of the group, under the moniker “Unknown,” confirmed that they built on a prior codebase — most likely from the highly successful GandCrab, due to nearly identical string decoding functions. A year later, IBM Security X-Force reported that one in three ransomware attacks they investigated were caused by REvil (also known as Sodinokibi). IBM researchers estimated that a third of the victims ended up paying the ransom, and that their profits landed around at least $81 million by the end of 2020.
On July 2nd, 2021, REvil located three zero-day vulnerabilities in Kaseya’s VSA platform (a systems management and monitoring tool) and compromised over 30 managed service providers (MSPs), affecting 1,500 downstream customers. The fallout for REvil was consequential. Shortly after the attack on Kaseya, the group’s public site, negotiation portal, and “helpdesk” chat all went offline.
In October 2021, REvil ceased activity again — after only being back on the scene for several weeks — this time due to a multi-country operation to take their infrastructure offline. The U.S. government, along with foreign partners, were responsible for penetrating their systems, but in-fighting, the inability to pay affiliate partners, and continued scrutiny didn’t help their longevity. A month later, the Department of Justice announced the arrest of Yaroslav Vasinskyi, a 22 year-old Ukrainian citizen who is directly tied to the July 2021 attack against Kaseya. That same day, the department announced the seizure of $6.1 million in ransom funds associated with another member of REvil of Russian origin.
DarkSide Ransomware Group
⚠️ Claim to fame: Their attack on Colonial Pipeline skyrocketed their notoriety, which led to the U.S. State Department offering a $10 million reward for anyone with information on the group’s leadership.
💲 Average ransom demand: $3,600,000
DarkSide didn’t emerge in a vacuum. Researchers believe the operators have ties to other well-known ransomware groups. The ransomware strain, developed by Russian-speaking threat actors, is tailored to target large corporations — with lucrative ransom payouts to match. While the first DarkSide ransomware attack was recognized on August 10, 2020, original operators didn’t shift to a RaaS model until November 10th, when they announced their affiliate program.
DarkSide advertised itself as a modern-day Robin Hood by going after rich, corporate targets and donating some of its profits to charity (allegedly, if you’re in the camp that believes cybercriminals at their word). Contrary to their branding of being the ransomware group of “the people” rather than a proponent for disruption, their biggest claim to fame is perhaps the most consequential ransomware attack against critical infrastructure we’ve seen yet. In May 2021, the Colonial Pipeline, responsible for transporting 45% of the United States’ gas and fuel supply to the East Coast, suffered a breach that halted the movement of refined gasoline. This triggered major fuel shortages across parts of the country.
Colonial Pipeline paid a $4.4 million ransom in exchange for a decryption key, but that still left them scrambling to get properly up and running. Just days later, the DarkSide ransomware operation lost access to their servers and their cryptocurrency was seized by law enforcement. The FBI recovered 63.7 of the 75 Bitcoin paid as the Colonial Pipeline ransom, worth approximately $2.3 million at the time.
⚠️ Claim to fame: Their use of Rust, an unconventional programming language, makes it easier to evade detection from traditional security solutions.
💲 Average ransom demand: $917,000
BlackCat, also known as ALPHV, launched in November 2021 and confirmed that they were former members of DarkSide (ransomware gangs rebranding are the gift that keeps on giving). They rose to notoriety due to their use of an unconventional programming language: Rust. While Rust is gaining popularity, BlackCat was among the first to use it in their ransomware operations, a move which has since been copied by the Hive and Luna ransomware gangs. The use of this programming language allowed the operators to deploy their malicious software against many different operating systems with a number of technical advantages over other programming languages typically used in malware such as C or C++.
In February 2022, BlackCat attacked a German petrol distributor, coincidentally (or intentionally) thrusting them into the spotlight for the same reason that DarkSide faced government scrutiny. BlackCat operators said in an interview with TheRecord that they couldn’t always control their affiliates, but that they “easily cut ties” with those who were “non-compliant” with their policies.
The latest development in BlackCat’s approach is an upgrade to their data theft malware called “Exmatter.” While already claiming there is “no competitive software in the market,” they have updated their software to be more undetectable. Exmatter offers BlackCat affiliates with expanded capabilities, including an option to create a report of stolen files, the ability to corrupt processed files, and a self-destruct capability to quit and delete itself if executed outside of a corporate environment.
Based on these updates, BlackCat seems determined to stay at the top of the ransomware ecosystem for the foreseeable future, and with ransomware groups disbanding left and right, there are only more experienced hackers in the market free to join.
Conti Ransomware Group
⚠️ Claim to fame: As Russia invaded Ukraine, Conti pledged allegiance to Russia, splintering the group due to differing loyalties.
💲 Average ransom demand: $643,800
Conti first appeared in May 2020, and is considered a successor to the Ryuk ransomware operation. As Ryuk slowly faded from the scene, Conti appeared with similar malware code and the same exact ransom note template. In a one month span (from November to December 2021), Conti breached more than 40 organizations. Like we’ve seen with the other ransomware groups discussed here, there’s a bit of an Icarus paradox. Overwhelming success leads to their ultimate failure.
Conti was involved in several high-profile attacks, including on the city of Tulsa, Oklahoma. Conti not only claimed responsibility, but leaked 18,938 files (primarily police citations). But what brought them significant mainstream attention was their attack on Ireland’s publicly funded healthcare system, Ireland's Health Service Executive and Ireland’s Department of Health. On top of that, the FBI noted that Conti had targeted “no fewer than 16 healthcare and first responder networks in the U.S. within the past year.”
But the final blow for Conti was partially self-inflicted. The Conti team pledged their allegiance to Russia during its physical invasion of Ukraine, threatening to strike back at those who organize any cyberattacks against Russia. In retaliation, a Ukrainian security researcher leaked more than 170,000 internal communications, providing “the most valuable data dump ever about ransomware,” a threat analyst told the Washington Post.
Conti went offline soon after being embarrassingly outed, but that doesn’t mean it’s the end. While the recognizable brand may be over, it’s likely that gang members have diversified their approach by joining other ransomware operations.
Ransomware probably isn’t going away anytime soon, but we are finding ways to effectively combat cybercriminals. While sanctions and action from law enforcement is promising, enforcing strong controls at an organizational level (such as MFA, EDR and strong backups) and working with cyber insurers helps create a multi-pronged approach to preventing nightmare breach scenarios.
This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.
This week, our team at Corvus was pleased to take part in a major announcement by SentinelOne of its WatchTower Vital Signs Report app in the Singularity Marketplace. For cyber underwriters like Corvus, this app provides a real-time “inside-out” view of an enterprise’s cybersecurity health for improved policy accessibility and reduced underwriting risk. This represents an exciting and needed development in our industry, as insurers contend with major shifts in the nature of organizations’ IT systems and the nature of the threats they’re exposed to, and in policyholder expectations.
Welcome to our (cybersecurity) campsite, where even the forest is going digital. We’ve got the essentials: a warm fire, marshmallows to toast, and some very passionate horror enthusiasts. What’s a cool, fall night in the woods without the retelling of a cybersecurity nightmare? This time, we’ll be following a data exfiltration attack at Parakeet Incorporated, a research-driven pharmaceutical company.